[bre-1104] update cli npm publish to use oidc (#16214)

* prep workflow for npm OIDC publishing * add node setup step * update environment name * clarify job title * npm versioning testing, will revert * syntax * syntax * temporarily remove dynamic node version * Revert build-cli.yml to main branch version * remove husky install step * pin npm version in setup node step * add comment * more clear comment to show future action needed * formatting
2025-12-21 10:43:35 +00:00 · 2025-09-15 13:57:23 -04:00
parent 0998508738
commit 806111c94f
1 changed files with 14 additions and 26 deletions
--- a/.github/workflows/publish-cli.yml
+++ b/.github/workflows/publish-cli.yml
@@ -183,6 +183,7 @@ jobs:

  npm:
    name: Publish NPM
+    environment: CLI - NPM
    runs-on: ubuntu-22.04
    needs: setup
    permissions:
@@ -195,23 +196,20 @@ jobs:
    steps:
      - name: Checkout repo
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      
+      - name: Get Node version
+        id: retrieve-node-version
+        run: |
+          NODE_NVMRC=$(cat .nvmrc)
+          NODE_VERSION=${NODE_NVMRC/v/''}
+          echo "node_version=$NODE_VERSION" >> $GITHUB_OUTPUT

-      - name: Log in to Azure
-        uses: bitwarden/gh-actions/azure-login@main
+      - name: Set up Node
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
-          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
-          client_id: ${{ secrets.AZURE_CLIENT_ID }}
-
-      - name: Retrieve secrets
-        id: retrieve-secrets
-        uses: bitwarden/gh-actions/get-keyvault-secrets@main
-        with:
-          keyvault: "bitwarden-ci"
-          secrets: "npm-api-key"
-
-      - name: Log out from Azure
-        uses: bitwarden/gh-actions/azure-logout@main
+          node-version: ${{ steps.retrieve-node-version.outputs.node_version }}
+          npm-version: "11.5.1" # FIXME: npm 11.5.1 or later is required to publish w/ OIDC; move version management to somewhere maintainable by automation
+          registry-url: "https://registry.npmjs.org/"

      - name: Download and set up artifact
        run: |
@@ -219,19 +217,9 @@ jobs:
          wget https://github.com/bitwarden/clients/releases/download/cli-v${{ env._PKG_VERSION }}/bitwarden-cli-${{ env._PKG_VERSION }}-npm-build.zip
          unzip bitwarden-cli-${{ env._PKG_VERSION }}-npm-build.zip -d build

-      - name: Setup NPM
-        run: |
-          echo 'registry="https://registry.npmjs.org/"' > ./.npmrc
-          echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" >> ./.npmrc
-        env:
-          NPM_TOKEN: ${{ steps.retrieve-secrets.outputs.npm-api-key }}
-
-      - name: Install Husky
-        run: npm install -g husky
-
      - name: Publish NPM
        if: ${{ inputs.publish_type != 'Dry Run' }}
-        run: npm publish --access public --regsitry=https://registry.npmjs.org/  --userconfig=./.npmrc
+        run: npm publish --access public

  update-deployment:
    name: Update Deployment Status